
OCR Labs denies breach report details, patches vulnerability


A vulnerability allegedly exposing sensitive credentials of Australian financial institutions has been closed by OCR Labs, after being discovered and disclosed by Cybernews researchers. An API key for the biometric liveness detection service used by OCR Labs is among the exposed data, according to the report.

OCR Labs takes issue with details in the report, however, telling Biometric Update that the API is used only to create Liveness sessions, which are ephemeral and cannot be recalled once complete. No personally identifiable information was therefore accessible, the company says.

“There was never a data leak or breach in any of our systems,” says Paul Warren-Tape, GM of APAC for OCR Labs, in a response statement shared with Biometric Update.

The data was made accessible through a misconfigured, publicly accessible environment file used by OCR Labs product IDKit.com, which provides bank-grade identity verification with selfie biometrics. The file included database credentials, Amazon Web Services (AWS) credentials, including for the Simple Queue Service (SQS), and API keys.

Australia’s Qbank, which caters mostly to government agency workers, Defence Bank, which serves the country’s armed forces, and residential mortgage provider MA Money, were all affected. The UK’s Bloom Money and Admiral Money, as well as recruitment service Reed, were also impacted, according to Cybernews.

“Investigations led by third party cyber security specialists unequivocally concluded that, at no stage, was there any threat to QBANK Member data,” Qbank said in a statement.

OCR Labs says it took all necessary steps to address the vulnerability immediately on learning of it. The company follows a vulnerability disclosure program (VDP) framework to ensure transparency and security.

The leaked data included API keys for Liveness and credit reporting agency Experian, and credentials for OCR Labs’ Engine v4, which is used for KYC checks, and therefore connects to sensitive customer data.

An internal investigation by OCR Labs shows no risk to the security of any client’s data.

“After extensive investigation, we can unquestionably confirm the discovered configuration related to invalid and placeholder credentials were for unused demo and placeholder environments. These are all non-production environments and pose no risk to the security of our client’s data or our systems,” says Warren-Tape.

He also noted that OCR Labs acknowledges the need to secure even “demo or placeholder environments with invalid credentials” as it does production environments.
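As an added illustration, not code from OCR Labs, Cybernews or Biometric Update, the following Python audits the contents of an environment file of the kind described above: it parses KEY=VALUE lines, classifies each entry by what it would grant if real (an AWS access key ID, a queue URL that discloses the account ID, a generic secret), and separates values that look like placeholders from values that look live, which is the distinction at the heart of the company’s response. The sample file is constructed; every variable name in it is an assumption rather than the real file’s contents, and the AWS key pair is the public AWS documentation example key.

```python
"""Audit a leaked .env file: what kinds of credentials does it hold, and which
values look like real secrets versus placeholders?

Added example; not OCR Labs code. SAMPLE_ENV is constructed and every value in
it is illustrative (the AWS pair is the AWS documentation example key).
"""
import re
from typing import Dict, List

# KEY=VALUE, optionally prefixed by "export"; value may be quoted.
ENV_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")
# Long-term (AKIA) and temporary (ASIA) AWS access key IDs.
AWS_KEY_ID = re.compile(r"^(?:AKIA|ASIA)[A-Z0-9]{16}$")
# SQS queue URLs embed the 12-digit AWS account ID.
SQS_URL = re.compile(r"^https://sqs\.[a-z0-9-]+\.amazonaws\.com/(\d{12})/[\w-]+$")
# Variable names that conventionally hold secrets.
SECRET_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_KEY)", re.I)
# Heuristic only: a value that does NOT match this may still be a dummy, and
# one that does may still be live; the issuer has to confirm either way.
PLACEHOLDER = re.compile(r"(changeme|placeholder|example|your_|xxx|<[^>]*>|dummy|todo)", re.I)

# Constructed sample environment file (assumed variable names, illustrative values).
SAMPLE_ENV = """
# idkit demo environment (constructed)
APP_ENV=production
DB_HOST=db.internal.local
DB_USER=idkit
DB_PASSWORD="k8Qm2vT9zLpW"
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
SQS_QUEUE_URL=https://sqs.ap-southeast-2.amazonaws.com/123456789012/idkit-jobs
LIVENESS_API_KEY=your_api_key_here
EXPERIAN_API_KEY=changeme
ENGINE_V4_TOKEN=
"""


def parse_env(text: str) -> Dict[str, str]:
    """Parse dotenv-style text; skips blank/comment lines, strips quotes and
    trailing ' # comment' on unquoted values."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENV_LINE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] in "\"'" and value.endswith(value[0]):
            value = value[1:-1]
        elif " #" in value:
            value = value.split(" #", 1)[0].rstrip()
        env[name] = value
    return env


def classify(name: str, value: str) -> Dict[str, object]:
    """Describe one entry: what kind of credential it is and whether the value
    looks like a placeholder."""
    if value == "":
        return {"kind": "empty", "placeholder": True}
    placeholder = bool(PLACEHOLDER.search(value))
    if AWS_KEY_ID.match(value):
        return {"kind": "aws_access_key_id", "placeholder": placeholder}
    m = SQS_URL.match(value)
    if m:
        # Not a secret by itself, but it discloses the AWS account ID.
        return {"kind": "sqs_queue_url", "placeholder": False, "account_id": m.group(1)}
    if SECRET_NAME.search(name):
        return {"kind": "secret", "placeholder": placeholder}
    return {"kind": "config", "placeholder": placeholder}


def audit(text: str) -> Dict[str, Dict[str, object]]:
    """Classify every entry in the file."""
    return {k: classify(k, v) for k, v in parse_env(text).items()}


def live_secrets(text: str) -> List[str]:
    """Names of credential entries whose values do NOT look like placeholders:
    these must be rotated first, before any debate about the rest."""
    return sorted(
        k for k, r in audit(text).items()
        if r["kind"] in ("aws_access_key_id", "secret") and not r["placeholder"]
    )


def exposed_account_ids(text: str) -> List[str]:
    """AWS account IDs disclosed through queue URLs."""
    return sorted({str(r["account_id"]) for r in audit(text).values() if "account_id" in r})


if __name__ == "__main__":
    for name, result in audit(SAMPLE_ENV).items():
        print(f"{name:24} {result}")
    print("rotate first:", live_secrets(SAMPLE_ENV))
    print("account IDs exposed:", exposed_account_ids(SAMPLE_ENV))
```

Run against the sample, the audit flags only DB_PASSWORD as a live-looking secret; the AWS pair, the Liveness key and the Experian key all match placeholder patterns, and the Engine v4 token is empty. The placeholder test is a triage aid, not a verdict: a key that fails the pattern still has to be revoked, and a key that matches it still has to be confirmed invalid with the issuer, which is the point of the company’s own remark that demo environments need the same protection as production. The file should also never have been reachable in the first place; environment files belong outside the web root, or behind an explicit deny rule in the web server.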

The company says it is now seeking independent legal advice on the allegedly inaccurate reporting, on the advice of the Australian Cyber Security Centre.

OCR Labs was recently approved under the UK’s Digital Identity and Attributes Trust Framework (DIATF) for right-to-work checks.
